Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

CHICAGO . – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

* Security budgets remain low
* Organizations often don’t have a response plan for threats or a security breach
* A designated Chief Security Officer or Chief Information Security Officer is not in place

In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

“Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to the address these concerns.”

Other key survey results include:

Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent to the level of spending identified in the 2008 study.

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

Future Use of Security Technologies: E-mail encryption and single sign on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

“Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

Targeting Chief Information Officers and Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey focused on an assessment of 196 information technology (IT) and security professionals in the healthcare field of their own readiness for today’s risks and security challenges.